Web Goat Lab Sessions 1

This document provides an overview of a security course covering various web application vulnerabilities like SQL injection, cross-site scripting, and session hijacking. It discusses how attacks have shifted from operating systems to applications and explains the architecture of web applications. The course consists of several lab sessions where students can practice exploiting vulnerabilities in a safe environment using the WebGoat training platform.
Uploaded by aldozp1


Security Course

WebGoat Lab sessions

WebGoat Lab sessions overview

Initial Setup
  - Tamper Data
  - WebGoat
Lab Session 2
  - HTTP Basics
  - Sniffing
  - Parameter Tampering
Lab Session 3
  - SQL Injection
  - XSS
Lab Session 4
  - Access Control, session information stealing
Lab Session 5
  - Authentication Flaws
  - Password cracking
Lab Session 6
  - Session Fixation/Stealing, Phishing

Why are web applications a rising concern

Attacks used to target the operating system.
Now it is easier to attack the (web) applications; see any statistics.
Why is that so?

(Diagram: OLD vs. New: what is the difference?)

The difference: which parts are vulnerable?

(Diagram: Client -> internet -> web server -> static HTTP page / web application -> database)

Client:
  Vulnerable, nothing we can do about this.
Web server:
  Vulnerable, but easy to harden.
Static HTTP page:
  Invulnerable.
Web application and database:
  Very vulnerable: you can have them do something for you, and they have access to a lot of information (usernames, passwords).

WEB APPLICATION ARCHITECTURE

Web Application Architecture

(Diagram: User --HTTP Request--> Web server (WebGoat) --HTTP Response--> User)

User:
  Sends requests to the services he wants to use (e.g. Facebook, Google, YouTube).
Web server:
  Listens for users' requests and sends back the response (whether the user wants to listen to a song or visit a friend's profile).
Intruder:
  Can play the role of the user and modify the HTTP request and response.
  Can access the web servers directly to exploit vulnerabilities.

HTTP Request/Response

While browsing, every time an action is taken, an HTTP request is created.
The HTTP request goes from the browser to the web server.
The web server does some processing (e.g. verifies whether you are a registered user) and sends back an HTTP response.

(Screenshots: an HTTP request and an HTTP response as shown by Tamper Data)

INITIAL SETUP

Tamper Data

Tamper Data is a tool that lets you intercept and modify requests/responses from your Mozilla Firefox browser.

If not yet installed, you can download it here: https://addons.mozilla.org/enus/firefox/addon/tamper-data/

You have to click Start Tamper to start intercepting requests/responses.

Note that this intercepts all your internet traffic and lets you see every HTTP request/response; you have to click Stop Tamper to get back to normal browsing.

WEB GOAT (1)

Close your Internet connection (your machine is extremely vulnerable while WebGoat is running).
Go to the folder containing your WebGoat installation.
Execute the webgoat_8080.bat file.

WEB GOAT (2)

Type the address http://localhost:8080/WebGoat/attack in Mozilla Firefox.
Log in with username = guest and password = guest.

WEB GOAT Setup

Press Start WebGoat to access the lesson section.

LAB SESSION 2

Where to find exercises in WebGoat

Lab Session 2
  HTTP Basics: General -> HTTP Basics
  Sniffing: Insecure Communication -> Insecure Login
  Parameter Tampering: Parameter Tampering -> Bypass HTML Field Restrictions, Exploit Hidden Fields

Lab Session 3
  SQL Injection: Injection Flaw -> Modify data with SQL injection
  XSS: Cross-Site Scripting (XSS) -> Stage 1: Stored XSS

Lab Session 4
  Access Control: Access Control -> Stage 3: Bypass Data Layer Access Control

HTTP Basics - Exercise

Goal: meet WebGoat and Tamper Data.

Exercise:
Go to General -> HTTP Basics.
Insert your name in the input field and start tampering.
Modify the parameter person in the HTTP request so that you get back the string webgoat as the response from the server.

HTTP Basics - Solution

Change the value of person to taogbew.
The server will reverse it and you will get webgoat as the final response.

2/22/2013

HTTP Basics - Lesson learned

When parameters travel in the clear (i.e. not encrypted) they can easily be changed by anyone listening to your internet traffic (or, as in this exercise, by whoever controls the browser).
In this case it was only your name.
But assume you want to make a payment of 800 Euro to the account of your landlord and insert 12345 as the account number.
The attacker can change that number to 34566 (his account number).
In this way he manages to steal 800 Euro from you.


Sniffing - Exercise

Goal: steal the password of the user Jack.

Exercise:
Go to Insecure Communication -> Insecure Login.
Press the Submit button and use Tamper Data to read the password.

Sniffing - Solution

Start tampering, then press the Submit button.
Read the value of the field clear_pass.
The solution is sniffy.

Sniffing - Lesson learned

You performed your first sniffing attack.
You intercepted the traffic of your victim and stole his password.
If this is the same password he uses for his internet banking (or email account), you can now easily access it.
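The request structure described under "HTTP Request/Response" and the reason the Insecure Login exercise works are the same thing: an HTTP request is plain text, so a form field such as clear_pass is readable by anyone on the path when the page is served without TLS. The following is an added example, not code from the slides or from WebGoat, written from the defender's side: it parses a raw HTTP/1.1 request into request line, headers and form fields, and then audits captured requests for credential fields that travelled over plain HTTP. The captured request, the field-name list and the scheme values are constructed for this example.

```python
"""Parse raw HTTP requests and flag credentials sent in the clear.

Added example (not from the original slides or WebGoat): shows the parts of an
HTTP request that Tamper Data exposes, and a check a defender can run over
captured requests to find login forms still submitted without TLS.
"""
from urllib.parse import parse_qs

# Field names treated as credentials. The list is an assumption for this
# example; extend it with the names your own applications use.
CREDENTIAL_FIELDS = {"password", "pass", "passwd", "clear_pass", "pwd"}


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into request line, headers and form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        # parse_qs returns lists; keep the first value of each field
        form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {"method": method, "target": target, "version": version,
            "headers": headers, "form": form}


def is_plaintext(req: dict, scheme: str) -> bool:
    """True when the request reached the server without TLS.

    `scheme` is what the listening socket saw ("http" or "https"). A reverse
    proxy may also report the client-facing scheme in X-Forwarded-Proto; trust
    that header only when it comes from your own proxy.
    """
    forwarded = req["headers"].get("x-forwarded-proto")
    return (forwarded or scheme).lower() != "https"


def exposed_credentials(req: dict, scheme: str) -> list:
    """Credential field names an on-path sniffer could read from this request."""
    if not is_plaintext(req, scheme):
        return []
    return sorted(f for f in req["form"] if f.lower() in CREDENTIAL_FIELDS)


def audit_captures(captures: list) -> list:
    """Run the check over (scheme, raw_request) pairs; return (target, fields)
    for every request that leaked credentials."""
    findings = []
    for scheme, raw in captures:
        req = parse_http_request(raw)
        fields = exposed_credentials(req, scheme)
        if fields:
            findings.append((req["target"], fields))
    return findings


# Constructed sample: roughly what Tamper Data shows for the Insecure Login form.
_BODY = "username=jack&clear_pass=sniffy&SUBMIT=Submit"
SAMPLE_LOGIN = (
    "POST /WebGoat/attack HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(_BODY)}\r\n"
    "\r\n" + _BODY
)

if __name__ == "__main__":
    for target, fields in audit_captures([("http", SAMPLE_LOGIN), ("https", SAMPLE_LOGIN)]):
        print(f"credentials in the clear: {target} fields={fields}")
```

The same request is audited twice, once as seen on a plain-HTTP listener and once as seen on a TLS listener; only the first produces a finding, which is the whole point of the lesson: the fix is not to hide the field but to stop serving the login form and its POST target over HTTP.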


Parameter Tampering - Exercise

Goal: change the total amount charged to your credit card.

Exercise:
Go to Parameter Tampering -> Exploit Hidden Fields.
Purchase the TV for $1.

Parameter Tampering - Solution

Start Tamper Data, then press the Purchase button.
Change the parameter Price to the value 1.00.
If successful you will get a Congratulations message.

Lesson learned
You used your newly learned hacking skills to gain a personal advantage.
You paid $1 for a product worth $3000.

Why is that possible?

The web server is not checking that you're paying the right amount of money: it trusts the price that the client sends back in a hidden form field.
A hacker who knows this vulnerability is able to exploit it.
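The fix for "the web server is not checking" is to never take a price from the client at all. The block below is an added example, not code from the slides or from WebGoat: it places the vulnerable checkout (charge whatever arrives in the hidden Price field) beside a hardened one (look the price up server-side from the product id), adds a detection that flags a submitted Price which differs from the catalogue, and, for the case where a value genuinely has to round-trip through the browser, shows how an HMAC makes any change detectable. The catalogue, product id, prices and signing key are constructed for this example.

```python
"""Hidden-field price tampering: vulnerable checkout beside a hardened one.

Added example, not part of the original slides or of WebGoat's own code. The
catalogue, the product id, the prices and the key are constructed.
"""
import hashlib
import hmac
from decimal import Decimal

# Server-side catalogue: the only place a price should ever come from.
CATALOG = {"tv": Decimal("3000.00")}

# Hypothetical server secret; in a real deployment load it from a secret store.
SERVER_KEY = b"example-only-key-do-not-reuse"


def checkout_vulnerable(form: dict) -> Decimal:
    """Mirrors the lesson: the price arrives in a hidden field and the server
    charges whatever the client sent."""
    return Decimal(form["Price"])


def checkout_hardened(form: dict) -> Decimal:
    """Ignore any client-supplied price; resolve it from the product id."""
    product = form.get("product")
    if product not in CATALOG:
        raise ValueError("unknown product")
    return CATALOG[product]


def tamper_indicator(form: dict) -> bool:
    """Detection: the client echoed a Price that differs from the catalogue.
    A normal browser never alters a hidden field, so log and alert on this."""
    if "Price" not in form or form.get("product") not in CATALOG:
        return False
    return Decimal(form["Price"]) != CATALOG[form["product"]]


def sign_field(value: str) -> str:
    """For a value that must round-trip through the client (e.g. a total shown
    on a confirmation page), append an HMAC so modification is detectable."""
    mac = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_field(signed: str):
    """Return the value if its MAC checks out, else None (field was altered)."""
    value, _, mac = signed.rpartition(".")
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return value


if __name__ == "__main__":
    # Constructed submission after the hidden Price field was changed to 1.00
    tampered = {"product": "tv", "Price": "1.00"}
    print("vulnerable charges:", checkout_vulnerable(tampered))
    print("hardened charges:  ", checkout_hardened(tampered))
    print("tamper indicator:  ", tamper_indicator(tampered))
    signed = sign_field("3000.00")
    forged = "1.00." + signed.rsplit(".", 1)[1]
    print("signed verifies:   ", verify_field(signed))
    print("forged verifies:   ", verify_field(forged))
```

The hardened handler is the real fix; the HMAC variant only applies when a value cannot be kept server-side (in a session or an order record), and even then the server should still re-check the amount against its own records before charging anything.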
